Re: [PATCH 2/9] configs: remove orphan dependencies of NETFILTER_XTABLES_LEGACY
From: Paul Walmsley
Date: Thu Apr 02 2026 - 17:54:16 EST

On Tue, 17 Mar 2026, Vincent Mailhol (Arm) wrote:
> Since its introduction in commit 9fce66583f06 ("netfilter: Exclude
> LEGACY TABLES on PREEMPT_RT."), the configurations below all depend,
> either directly or indirectly, on CONFIG_NETFILTER_XTABLES_LEGACY:
>
> - CONFIG_NETFILTER_XT_TARGET_CHECKSUM
> - CONFIG_IP_NF_FILTER
> - CONFIG_IP_NF_TARGET_REJECT
> - CONFIG_IP_NF_NAT
> - CONFIG_IP_NF_TARGET_MASQUERADE
> - CONFIG_IP_NF_MANGLE
> - CONFIG_IP6_NF_FILTER
> - CONFIG_IP6_NF_TARGET_REJECT
> - CONFIG_IP6_NF_MANGLE
> - CONFIG_IP6_NF_NAT
> - CONFIG_IP6_NF_TARGET_MASQUERADE
>
> This new dependency caused many symbols to become orphaned, meaning
> their dependencies are no longer satisfied and Kconfig drops them from
> the final configuration.
>
> Note that CONFIG_NFT_COMPAT is another parent dependency, so the
> above-listed symbols would not become orphaned as long as NFT_COMPAT
> is present.
>
> Considering that these are legacy options and that nobody complained
> in recent kernel releases when these options were already missing, it
> is safe to assume they can be removed.
>
> Suppress all these configuration symbols in all the defconfig files
> that have neither CONFIG_NETFILTER_XTABLES_LEGACY nor
> CONFIG_NFT_COMPAT set.
>
> FYI, the suppressions were done using:
>
> git grep -z -L -E '^CONFIG_(NETFILTER_XTABLES_LEGACY|NFT_COMPAT)=(y|m)$' -- 'arch/*/configs/*defconfig' |\
> xargs -0 sed -i -E '/^CONFIG_(NETFILTER_XT_TARGET_CHECKSUM|IP_NF_FILTER|IP_NF_TARGET_REJECT|IP_NF_NAT|IP_NF_TARGET_MASQUERADE|IP_NF_MANGLE|IP6_NF_FILTER|IP6_NF_TARGET_REJECT|IP6_NF_MANGLE|IP6_NF_NAT|IP6_NF_TARGET_MASQUERADE)=(y|m)$/d'
>
> Fixes: 9fce66583f06 ("netfilter: Exclude LEGACY TABLES on PREEMPT_RT.")
> Signed-off-by: Vincent Mailhol (Arm) <mailhol@xxxxxxxxxx>

Acked-by: Paul Walmsley <pjw@xxxxxxxxxx> # arch/riscv

- Paul
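
A read-only counterpart to the command quoted above, as an added example that is not part of the original message or the patch: it lists the symbols from the quoted list that a defconfig sets without either parent, which are the lines the sed expression deletes. The function names and the sample defconfig contents are constructed for illustration.

```shell
#!/bin/sh
# Report, without modifying anything, the defconfig lines that would be
# removed: listed symbols set to y/m in a file that sets neither
# NETFILTER_XTABLES_LEGACY nor NFT_COMPAT.

# Same two expressions as the quoted git grep / sed command.
PARENTS='^CONFIG_(NETFILTER_XTABLES_LEGACY|NFT_COMPAT)=(y|m)$'
ORPHANS='^CONFIG_(NETFILTER_XT_TARGET_CHECKSUM|IP_NF_FILTER|IP_NF_TARGET_REJECT|IP_NF_NAT|IP_NF_TARGET_MASQUERADE|IP_NF_MANGLE|IP6_NF_FILTER|IP6_NF_TARGET_REJECT|IP6_NF_MANGLE|IP6_NF_NAT|IP6_NF_TARGET_MASQUERADE)=(y|m)$'

# Print the orphaned lines of one defconfig; print nothing if a parent is set.
list_orphans() {
    if grep -q -E "$PARENTS" "$1"; then
        return 0
    fi
    grep -E "$ORPHANS" "$1" || true   # no match is not an error
}

# Print "file: SYMBOL" for every orphaned symbol in the given defconfigs.
# In a kernel tree: audit arch/*/configs/*defconfig
audit() {
    for f in "$@"; do
        list_orphans "$f" | while IFS='=' read -r sym _value; do
            printf '%s: %s\n' "$f" "$sym"
        done
    done
}

# Constructed sample input: one defconfig without a parent, one with NFT_COMPAT.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'CONFIG_NETFILTER=y' \
        '# CONFIG_NFT_COMPAT is not set' \
        'CONFIG_IP_NF_FILTER=m' \
        'CONFIG_IP6_NF_MANGLE=y' > "$dir/orphaned_defconfig"
    printf '%s\n' \
        'CONFIG_NFT_COMPAT=m' \
        'CONFIG_IP_NF_FILTER=m' > "$dir/kept_defconfig"
    audit "$dir/orphaned_defconfig" "$dir/kept_defconfig"
    rm -rf "$dir"
}

demo
```

Only the first sample file is reported; the second is skipped because NFT_COMPAT keeps its symbols reachable, as the commit message notes.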